Some network security solutions
Today most organizations, units and schools are connected to the Internet and to their partners, and they gain many benefits from it. But alongside this advantage come many potential dangers: viruses, hackers and other threats.
In recent years many students and practitioners have asked me how to design a safe and secure network and whether I could outline some solutions. In this post I present some solutions for discussion with you, and I will develop this topic further in later posts. I look forward to your comments and to exchanging experiences.
II. SOME CRITERIA FOR ASSESSING NETWORK SECURITY
According to Microsoft, Cisco, Juniper and other vendors, the criteria of primary concern when assessing how ready and able an organization is to secure its computer network are the following (see Table 1):
| No. | Criterion |
|---|---|
| 1 | Is the organization's network designed and deployed according to a standard network model (domain or workgroup)? |
| 2 | Do the website and application systems have load balancing? |
| 3 | Has the organization deployed a firewall system? Hardware or software? |
| 4 | Are the operating systems and software updated with patches? |
| 5 | Does the organization have an access logging and monitoring system? |
| 6 | How does the organization protect and back up its data? |
| 7 | Does the organization have a system to detect and prevent intrusions? |
| 8 | Does the organization scan for viruses using a server-client model? |
| 9 | Which security methods has the organization deployed? |
| 10 | Does the organization regularly inspect and assess its security capabilities? |
| 11 | Does the organization regularly train the users of its computer network? |
| … | … and some other criteria |
Table 1: Some criteria for evaluating network security
1.1. Principles of security system design
Network security must be built on the following principles:
+ Defense in depth: the system must be protected in depth, divided into several tiers and separated into different layers. Each tier and each layer implements its own security policy for prevention. In addition, if one tier or layer is compromised, the intrusion is confined to that tier or layer and cannot spread to the others.
+ Use many different technologies: do not rely on a single technology or on the security products of a single company. If hackers find a vulnerability in one of that company's products, the similar products throughout the network are easily bypassed in the same way, and the tiered, layered defense policy becomes meaningless. So when building tiers and layers, use products from several different companies to limit this weakness. At the same time, combine multiple technologies and security solutions to strengthen the defense: the firewall blocks direct attacks, the IDS "sniffs" traffic and responds proactively, the anti-virus filters out viruses, and so on.
+ Standards compliance: security products must meet certain certifications, such as the Common Criteria standard, ISO/IEC 15408:2005 and ISO/IEC 18405:2005 at EAL4, ICSA Firewall and VPN certification, FIPS-140, etc.
From the above criteria and principles, I propose the following solutions:
III. GROUPS OF SOLUTIONS
3.1. GROUP OF SOLUTIONS FOR PLANNING AND DESIGN
Designing and planning a large network is not merely a matter of installing devices that support users; it relies on the standard model already applied in the advanced networks of offices and businesses around the world, namely the Service-Oriented Architecture (SOA) network model.
3.1.1. Designing infrastructure on the SOA model
The SOA architecture consists of three layers:
Networked infrastructure layer: the network layer links the functional blocks of the architecture in an orderly, tiered way.
Interactive services layer: combines the components of the network architecture into the full set of functions that allows many applications to be used on the network.
Application layer: includes all kinds of collaborative and transactional applications. Combined with the interactive services provided by the layer below, these applications can be deployed quickly and efficiently.
In this section I briefly introduce the network design and security methods used in the design of the large, modern networks of large organizations and enterprises; they correspond to the SOA networked infrastructure layer.
3.1.2. Hierarchical (layered) design method
A hierarchical campus network consists of multiple LANs in one or more buildings, with all connections usually located in one geographic area. A campus usually includes Ethernet, Wireless LAN, Gigabit Ethernet and FDDI (Fiber Distributed Data Interface). It is designed in tiers and areas; on each tier and in each area, the corresponding devices and network policies are deployed.
Figure 1: Diagram of SOA system design by network area and tier.
a) LAN area
From the model we see that this area is designed in tiers: core, distribution and access. This ensures redundancy, evenly distributed network traffic, and a network divided into segments for easier control and security.
b) WAN connection area
This area provides Internet connectivity to the member agencies and partners. It must ensure high availability and redundancy, so load balancing and redundant WAN links need to be deployed.
c) Public server area
This area is commonly known as the demilitarized zone (DMZ). The servers in this area are tightly controlled by the firewall to prevent attacks from hackers, LAN users, etc.
Advantages: redundancy, easy to develop for high performance, easy to troubleshoot; suitable for the training and research environments of universities and colleges, and for large businesses.
Disadvantages: building a network with this tiered structure is relatively costly and needs a team of professional system administrators.
3.1.3. Model of service deployment and user management
This model is implemented on the infrastructure designed above and is the deciding factor in system performance and in how the system is managed.
In fact, some agencies and enterprises today deploy their networks on the peer-to-peer model. This model is suitable for small-scale organizations. When the system grows to hundreds of computers, departments and functions, management on the peer-to-peer model is no longer appropriate. Deploying and managing services according to the client-server model is then the optimal and most effective solution. This model has many advantages and optimization features, such as:
– Controlled access to the shared resources on the network.
– Software configuration and services can be automated for clients and users quickly.
– A security policy for the entire unit is easy to implement, unified and centralized. For example, when a user account is not used within a given time the system locks it automatically; users are always required to set an operating-system password that meets complexity rules and to change passwords frequently, etc., to prevent hackers from using password-cracking software.
– Easy security monitoring, logging, etc.
3.1.4. VLAN (virtual LAN)
Currently, the networks of a number of businesses are not divided into areas, and there is no control of traffic flow or of users' download and upload bandwidth for Internet access. Such a network is a single broadcast domain: every broadcast packet from any machine reaches all the other computers in the network, which leads to the following problems:
– Bandwidth: a growing business covers a large area, and the number of computers and users increases as the unit develops new areas. Bandwidth and the performance of the whole network therefore decrease, and the network is often congested.
– Security: security controls face many difficulties when the system spreads throughout the agency.
To solve these problems, we propose dividing the network into multiple virtual LANs. A VLAN is defined as a logical grouping of network devices, based on the functional elements, components and applications of the organization. Dividing the network into different VLAN modules helps achieve superior results in security and performance management.
Figure 2: Illustration of many different VLANs in a school
Example: all the computers of the labs and experiment rooms belong to vlan01; the departments belong to vlan02; the wireless network belongs to vlan03, etc. By default they do not communicate with each other. When communication between VLANs is needed, we configure it on the router, and the router controls the bandwidth between VLANs. (Figure 2)
3.2. GROUP OF SOLUTIONS FOR PREVENTING AND DETECTING ATTACKS
3.2.1. Multi-layer firewall system
A firewall system controls access between the Internet and the intranet. Firewalls fall into two categories, hardware and software, and each has different strengths. A hardware firewall has stable performance, does not depend on the operating system, viruses or malware, and blocks attacks on protocols at the network layer of the TCP/IP model. A software firewall is very flexible in configuring the application-layer protocols of TCP/IP.
For example, the first-layer firewall (typically hardware) eliminates most direct attacks on the web and mail servers, such as distributed denial-of-service attacks (DDoS), in which hackers send access requests to the server from many other computers on the network at high frequency in order to overload the server and stop it serving.
But hackers do not stop there: they can pass through the first-layer firewall with packets that are valid on the LAN and achieve their goal at the application-layer protocol. Therefore deploying a software firewall supports and increases the security of the entire network. If one firewall system fails, the remaining one stays in control.
Here is the solution that system designers often use, a multi-layer firewall: it includes at least the following two tiers, the front firewall and the rear firewall (Figure 3).
Figure 3: Firewall system with two levels, front and rear
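To make the division of labour between the two tiers concrete, here is an added simulation in Python (it is not code from the article; the addresses, request lines and limits are constructed). The front tier looks only at the source address and request rate, which is the coarse, fast control the text assigns to the hardware firewall, so a high-frequency flood is cut off before any content is inspected. The rear tier checks the HTTP request line of whatever got through, which is where the "valid on the LAN but malicious at the application layer" packets are caught:

```python
"""Two-tier filtering simulation: a header/rate tier in front of a content tier.
Added example (not from the article); all traffic below is constructed."""
from collections import defaultdict, deque


class NetworkTierFirewall:
    """Front tier: only the source address and request rate are examined, so a
    flood is absorbed without inspecting content (the hardware firewall's job)."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.history = defaultdict(deque)  # src_ip -> timestamps inside the window

    def allow(self, src_ip, timestamp):
        recent = self.history[src_ip]
        while recent and timestamp - recent[0] >= self.window:
            recent.popleft()  # forget requests that fell out of the window
        if len(recent) >= self.max_requests:
            return False  # over the rate limit: drop without touching tier 2
        recent.append(timestamp)
        return True


class ApplicationTierFirewall:
    """Rear tier: checks the HTTP request line of packets that are valid on the
    LAN but malformed or unwanted at the application layer."""

    def __init__(self, allowed_methods, max_path_length):
        self.allowed_methods = set(allowed_methods)
        self.max_path_length = max_path_length

    def allow(self, request_line):
        parts = request_line.split(" ")
        if len(parts) != 3:
            return False  # not "METHOD PATH VERSION"
        method, path, version = parts
        if method not in self.allowed_methods:
            return False
        if len(path) > self.max_path_length:
            return False  # oversized request target
        return version.startswith("HTTP/")


def filter_traffic(packets, tier1, tier2):
    """Run each (timestamp, src_ip, request_line) through both tiers in order.
    Returns how many packets each tier dropped and which ones were accepted."""
    result = {"tier1_dropped": 0, "tier2_dropped": 0, "accepted": []}
    for timestamp, src_ip, request_line in packets:
        if not tier1.allow(src_ip, timestamp):
            result["tier1_dropped"] += 1
        elif not tier2.allow(request_line):
            result["tier2_dropped"] += 1
        else:
            result["accepted"].append((src_ip, request_line))
    return result


# Constructed traffic: 20 requests in 0.2 s from one source (a flood), then
# one normal request, one oversized path and one disallowed method.
SAMPLE_TRAFFIC = [(i * 0.01, "203.0.113.9", "GET /index.html HTTP/1.1") for i in range(20)] + [
    (0.5, "192.0.2.10", "GET /students/schedule HTTP/1.1"),
    (0.6, "192.0.2.11", "GET /" + "A" * 3000 + " HTTP/1.1"),
    (0.7, "192.0.2.12", "TRACE / HTTP/1.1"),
]


def run_demo():
    tier1 = NetworkTierFirewall(max_requests=5, window_seconds=1.0)
    tier2 = ApplicationTierFirewall(allowed_methods={"GET", "POST", "HEAD"}, max_path_length=2048)
    return filter_traffic(SAMPLE_TRAFFIC, tier1, tier2)


if __name__ == "__main__":
    summary = run_demo()
    print("dropped by tier 1:", summary["tier1_dropped"])  # 15
    print("dropped by tier 2:", summary["tier2_dropped"])  # 2
    print("accepted:", len(summary["accepted"]))           # 6
```

Note that the flood source still gets its first five requests through, because the front tier cannot tell a legitimate burst from an attack by rate alone; the oversized path and the disallowed method are invisible to it and are stopped only by the rear tier. That is exactly why the article wants both tiers rather than either one.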
3.2.2. Intrusion detection and prevention systems (IDS/IPS)
Forms of attack from the inside are increasingly sophisticated. Example: a member of the unit can install a tool (Ethereal, Cain & Abel, ...) on a work computer or laptop to eavesdrop on or scan the server directly, which can capture email, Web, FTP and SQL server accounts and then change grades, tuition payment records, work schedules, etc. The firewall system cannot detect this form of attack.
The effective solution to this situation is to build an IDS/IPS system (Intrusion Detection System / Intrusion Prevention System). An IDS/IPS is extremely important for security: it can detect attacks based on preset signatures or malicious code and on abnormal traffic on the network, and it can eliminate them before they cause damage to the system.
3.2.3. Access control lists, device port security, network address filtering
a) Access control lists
Currently, departments deploy and expand their own wireless LANs, especially in rooms with many mobile devices and laptops. This adds uncontrolled connections to the internal network, reduces network bandwidth and makes security control difficult.
An access control list contains rules that permit or deny packets after checking the information in the packet header, limiting which users can access the internal server systems, etc.
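The following added Python example (not the article's code; addresses, VLAN numbers and rules are constructed) shows how such a list is evaluated on header fields only, and applies it to the inter-VLAN example from section 3.1.4: labs in vlan01, departments in vlan02, wireless in vlan03. Rules are tried in order, the first match decides, and anything that matches no rule falls to an implicit deny at the end, which is what makes "VLANs do not communicate by default" hold on the router:

```python
"""First-match access-control-list evaluation for traffic between VLANs.
Added example (not the article's code); addresses, VLAN numbers and rules are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    seq: int          # sequence number, first match wins
    action: str       # "permit" or "deny"
    protocol: str     # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: str          # CIDR network or "any"
    dst: str          # CIDR network or "any"
    dst_port: object  # int or "any"


def _net_matches(spec, address):
    if spec == "any":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, packet):
    """Compare only header fields: protocol, source, destination, destination port."""
    if rule.protocol != "ip" and rule.protocol != packet["protocol"]:
        return False
    if not _net_matches(rule.src, packet["src"]):
        return False
    if not _net_matches(rule.dst, packet["dst"]):
        return False
    if rule.dst_port != "any" and rule.dst_port != packet.get("dst_port"):
        return False
    return True


def evaluate(acl, packet):
    """Return (action, seq) of the first matching rule. Anything not explicitly
    permitted hits the implicit deny at the end, reported with seq None."""
    for rule in acl:
        if rule_matches(rule, packet):
            return rule.action, rule.seq
    return "deny", None


# Constructed addressing for the article's example: labs in vlan01,
# departments in vlan02, wireless in vlan03, plus a server segment.
VLAN01_LABS = "10.1.0.0/24"
VLAN02_DEPARTMENTS = "10.2.0.0/24"
VLAN03_WIRELESS = "10.3.0.0/24"
SERVERS = "10.10.0.0/24"

INTER_VLAN_ACL = [
    Rule(10, "permit", "tcp", "any", "10.10.0.5/32", 80),                # everyone may reach the web server
    Rule(20, "permit", "ip", VLAN02_DEPARTMENTS, SERVERS, "any"),         # departments reach all servers
    Rule(30, "permit", "ip", VLAN02_DEPARTMENTS, VLAN01_LABS, "any"),     # departments manage the labs
    Rule(40, "deny", "ip", VLAN03_WIRELESS, VLAN02_DEPARTMENTS, "any"),  # wireless never reaches departments
    # everything else, e.g. labs -> departments, falls to the implicit deny
]


def packet(protocol, src, dst, dst_port=None):
    return {"protocol": protocol, "src": src, "dst": dst, "dst_port": dst_port}


if __name__ == "__main__":
    for label, pkt in [
        ("lab host to web server", packet("tcp", "10.1.0.7", "10.10.0.5", 80)),
        ("department DNS query", packet("udp", "10.2.0.9", "10.10.0.5", 53)),
        ("wireless to department share", packet("tcp", "10.3.0.20", "10.2.0.9", 445)),
        ("lab host to department ssh", packet("tcp", "10.1.0.7", "10.2.0.9", 22)),
    ]:
        print(label, "->", evaluate(INTER_VLAN_ACL, pkt))
```

Rule 40 is redundant given the implicit deny, but an explicit deny for a path you never want open is a useful safeguard: if someone later appends a broad permit, the earlier explicit deny still wins because of first-match ordering.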
b) Device port security, physical address filtering on network devices
At public network access points, where LAN users are added, access to the local servers needs to be controlled.
Configuring port security on the devices and managing physical (MAC) addresses is an extremely secure and efficient solution in this case.
– Configure port security on the switch to ensure that the LAN cannot be extended without the consent of the system administrator; if this is violated, the switch puts the port into a restricted or disabled state.
– The physical address is set by the manufacturer. In principle, no two computers on the network have the same address, so control based on this address is specific to each computer in the network, unless the user installs address-spoofing software on the computer, or opens the computer and replaces the network card.
– Current network devices come with a physical address blocking function that helps network administrators control users' use of the network, especially when deploying a wireless system.
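The port-security behaviour described in the three points above can be written down as a small state machine. The Python below is an added example (not the article's code and not any vendor's implementation; port names, MAC addresses and limits are constructed): a port learns the first devices it sees up to a configured maximum, or is pinned to addresses the administrator entered, and an unknown address on a full port is treated as a violation whose consequence depends on the configured mode:

```python
"""Switch port security with sticky MAC learning and violation modes, as a
small state machine. Added example (not the article's or any vendor's code);
port names, MAC addresses and limits are constructed."""


class SecurePort:
    def __init__(self, name, max_secure=1, violation="shutdown", static_macs=()):
        self.name = name
        self.max_secure = max_secure          # how many MAC addresses the port may hold
        self.violation = violation            # "protect", "restrict" or "shutdown"
        self.secure_macs = {m.lower() for m in static_macs}  # entries set by the administrator
        self.err_disabled = False
        self.violations = 0
        self.forwarded = 0
        self.dropped = 0

    def receive_frame(self, src_mac):
        """Decide what happens to one incoming frame and record the outcome."""
        mac = src_mac.lower()
        if self.err_disabled:
            self.dropped += 1
            return "dropped:err-disabled"      # port stays down until an admin clears it
        if mac in self.secure_macs:
            self.forwarded += 1
            return "forwarded"
        if len(self.secure_macs) < self.max_secure:
            self.secure_macs.add(mac)          # sticky learning of the first devices seen
            self.forwarded += 1
            return "forwarded:learned"
        # An unknown MAC on a full port: someone plugged in an extra device or a hub.
        self.dropped += 1
        if self.violation == "protect":
            return "dropped"                   # silently dropped, nothing counted
        self.violations += 1                   # "restrict" counts the event for the log
        if self.violation == "shutdown":
            self.err_disabled = True           # whole port goes down, as the article describes
            return "dropped:port-shutdown"
        return "dropped:violation"

    def admin_reenable(self):
        """Manual recovery after a shutdown violation; learned addresses are kept."""
        self.err_disabled = False


if __name__ == "__main__":
    # A user-facing port limited to two devices; a third device shuts it down.
    port = SecurePort("Fa0/5", max_secure=2, violation="shutdown")
    for mac in ["00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77", "00:11:22:33:44:55"]:
        print(port.name, mac, port.receive_frame(mac))
    # An access-point uplink pinned to one administrator-configured address.
    uplink = SecurePort("Gi0/1", max_secure=1, violation="restrict", static_macs=["AA:BB:CC:00:00:01"])
    for mac in ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"]:
        print(uplink.name, mac, uplink.receive_frame(mac))
```

The "shutdown" mode is the strongest response but also the most disruptive, since a legitimate device on that port loses connectivity until an administrator intervenes; "restrict" keeps the port up and only records the event, which is often the better choice on a wireless uplink where the log entry is what the monitoring team wants. The caveat from the text still applies: a spoofed address that matches a secured entry is forwarded like the real one.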
3.3. GROUP OF OTHER SOLUTIONS
3.3.1. Building a centralized update and patch system
The first stage of a hacker's attack is the survey, in which they look for errors in the target system's operating system, services and applications that have not been updated from the vendor's website.
The situation in agencies today shows that software products are hardly ever patched; there are also individually licensed copies on personal computers, which gives hackers an opportunity to exploit vulnerabilities. Updating patches for all clients in the entire system directly over the Internet takes time, consumes link bandwidth and is inconsistent.
The solution is to build a system that automatically downloads updates from the vendors on the Internet to a server and then deploys them from that server to all clients across the network.
Microsoft's WSUS (Windows Server Update Services) updates patches not only for the Windows operating system but also for all of Microsoft's products, including Internet Explorer, SQL Server, Office, mail and web servers, etc.
3.3.2. Logging, monitoring and supervision systems
a) Logging
Recording connection sessions, user login sessions and the course of actions helps network administrators find traces of users, hackers and the errors that may have caused system faults earlier. Logging needs to be enabled on the web, email and application servers, and managing the stored information is essential. A professional hacker who has entered the system will not forget the tracks that were recorded. Therefore deploying a system that gathers the logs on a dedicated server is another very effective measure.
Open source software such as Syslog-ng (http://www.balabit.com) and SyslogAgent (http://syslogserver.com) is a good solution. Such a system records the warning messages from hardware devices such as firewalls, routers and switches, and from web servers, databases and other systems.
b) Monitoring and supervision
Monitoring is a routine and important job of a professional network administrator, and it is effective prevention before incidents occur. Tracking and monitoring can:
– Detect viruses spreading on the network.
– Monitor the computers in the LAN and Internet environment.
– Monitor the performance of server hardware for upgrades and maintenance.
– Detect hackers using password eavesdropping tools, or scanning the system and applications for errors.
– Produce statistics of connections and sessions, as well as abnormal traffic on the network, etc.
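Once logs from several hosts arrive on one server, the monitoring in (b) becomes a matter of parsing and counting. The Python below is an added example covering both (a) and (b) above (it is not the article's code; the host names, addresses and log lines are constructed, and the "firewall:" lines use a made-up message format, while the sshd lines follow the usual "Failed password for ... from ..." wording). It parses BSD-style syslog lines gathered from a mail server, a web server and a firewall, counts events per host, and raises an alert for any source that repeatedly fails to log in, which is what a password-guessing attempt looks like in the collected logs:

```python
"""Centralized log analysis over constructed syslog lines: parse each line,
count events per host, and raise an alert for sources with repeated failed
logins. Added example (not the article's code); hosts, addresses and
messages are constructed, and the 'firewall:' lines use a made-up format."""
import re
from collections import Counter, defaultdict

# "Mon DD HH:MM:SS host program[pid]: message" (BSD syslog layout)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_LOGIN_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

SAMPLE_LOGS = [
    "Oct 11 22:14:15 srv-mail sshd[2101]: Failed password for admin from 203.0.113.9 port 40122 ssh2",
    "Oct 11 22:14:17 srv-mail sshd[2103]: Failed password for invalid user test from 203.0.113.9 port 40130 ssh2",
    "Oct 11 22:14:19 srv-mail sshd[2105]: Failed password for root from 203.0.113.9 port 40141 ssh2",
    "Oct 11 22:14:21 srv-web sshd[3302]: Failed password for admin from 203.0.113.9 port 40155 ssh2",
    "Oct 11 22:14:40 srv-web sshd[3311]: Accepted password for nhan from 10.2.0.9 port 51234 ssh2",
    "Oct 11 22:14:52 srv-web sshd[3315]: Failed password for nhan from 10.2.0.9 port 51240 ssh2",
    "Oct 11 22:15:01 fw01 firewall: DENY tcp 203.0.113.9:4433 -> 10.10.0.5:445",
    "this line is not in syslog format",
]


def parse_syslog_line(line):
    """Return the fields of one syslog line, or None if it does not parse."""
    match = SYSLOG_RE.match(line)
    return match.groupdict() if match else None


def analyze(lines, threshold=3):
    """Aggregate lines from all hosts and flag sources with >= threshold failures."""
    failed = Counter()
    users_tried = defaultdict(set)
    events_by_host = Counter()
    unparsed = 0
    for line in lines:
        record = parse_syslog_line(line)
        if record is None:
            unparsed += 1      # keep a count so broken collection does not go unnoticed
            continue
        events_by_host[record["host"]] += 1
        hit = FAILED_LOGIN_RE.search(record["msg"])
        if hit:
            failed[hit["ip"]] += 1
            users_tried[hit["ip"]].add(hit["user"])
    alerts = [
        {"src": ip, "failures": count, "users": sorted(users_tried[ip])}
        for ip, count in failed.items()
        if count >= threshold
    ]
    return {
        "failed_logins": dict(failed),
        "alerts": alerts,
        "events_by_host": dict(events_by_host),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOGS)
    for alert in report["alerts"]:
        print("ALERT: %(failures)d failed logins from %(src)s, users %(users)s" % alert)
    print("events per host:", report["events_by_host"])
```

The point of collecting centrally shows in the sample: the attacking source spreads its four failures across two servers, so each server on its own sees only a few, while the aggregated view crosses the threshold. The single failure from the internal user stays below it, which keeps ordinary typos out of the alert list.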
3.3.3. Data encryption and transmission solutions
Data on the agency's servers and personal computers is not safe today, because the content is unencrypted in storage and even on the line. The data can be read by:
– A user who has successfully logged on to the computer.
– A hacker using software to capture the information on the line.
– Servers and computers that store sensitive data and need to share it should have the content on the storage device encrypted; this ensures that if a storage device or computer is lost, the attacker cannot decrypt the data.
The IPsec solution is implemented on the servers and user systems, and the network devices are configured accordingly.
3.3.4. Training users
According to network security statistics from CERT (Computer Emergency Response Team, http://www.cert.org/), approximately 70% of cases of information loss are related to human factors within the system, while 30% come from outside the organization's local network through unauthorized access to the system by hackers.
The information security management standard ISO 17799 / BS-7799 includes the criterion "Personnel Security", which describes the responsibilities of staff and the role of information security personnel, in order to minimize errors due to human mistakes, theft or misuse of public property.
Therefore training users to protect themselves, their computer resources and the organization is an extremely important task.
Train users to recognize and prevent hacker tricks such as phishing email. For example, hackers take advantage of the curiosity of Internet users to obtain information when user input is requested.
Train users to use the proper tools and software and to report to the administrator promptly, etc.
Train users to adhere to the organization's principles of privacy and information security, even when they are outside the agency.
3.3.5. Anti-virus system
To improve firewall processing speed, network administrators usually do not enable advanced filtering on the firewall (the firewall is there to handle large traffic). Instead, a virus scanner is installed to detect and block malicious code, spyware programs, files with viruses attached to email, etc. But in practice, investing in anti-virus for all the computers throughout the agency has a high cost.
To reduce licensing costs, the solution is to deploy the anti-virus suite model. Many famous brands such as Norton, Kaspersky, Trend Micro, etc. can be implemented in this model. The benefits of implementing this system are:
– Lower cost than installing on each client.
– Updating the machines to the new version is easy, quick and effective.